Apple looking to get rid of passwords on iphone


Mike Stay

Jan 22, 2022, 10:44:28 PM
to cap-...@googlegroups.com

William ML Leslie

Jan 22, 2022, 11:16:38 PM
to cap-talk
On Sun, 23 Jan 2022, 2:44 pm Mike Stay, <meta...@gmail.com> wrote:
> https://twitter.com/rmondello/status/1484571223250067456

Clicked through the thread to read about something called WebAuthn. Have we discussed that? It looks like a decent start, but the question I feel I want an answer to is how do I do three-party auth if credentials are scoped to a hostname...

John Kemp

Jan 23, 2022, 6:01:45 AM
to cap-...@googlegroups.com
On 1/22/22 23:16, William ML Leslie wrote:
> On Sun, 23 Jan 2022, 2:44 pm Mike Stay, <meta...@gmail.com> wrote:
>
> https://twitter.com/rmondello/status/1484571223250067456
>
> Clicked through the thread to read about something called WebAuthn. Have
> we discussed that?

WebAuthn is based on the work of the FIDO Alliance, which was intended
to be a standards-based answer to Apple's TouchID biometric authN. The
Apple implementation is excellent, as is Google's support for things
like Yubikey (USB-based devices). "Passwordless" authentication is now
actually real.

> It looks like a decent start, but the question I feel
> I want an answer to is how do I do three-party auth if credentials are
> scoped to a hostname...

Well, in a way, there are already (at least) three parties in the
WebAuthn flow - the user, her browser, and the website (RP). I suppose
there's also the phone/biometric hardware, which must also be
authenticated in this flow. Which three parties are you thinking of?

This blog goes into some detail about WebAuthn on the iPhone, and
discusses what I consider a bit of an annoyance (although this is a
"standard", support isn't standard across software).

https://www.security-embedded.com/blog/2021/5/2/under-the-hood-webauthn-in-safari

- johnk
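
An added example, not part of this message or of any poster's code: a Python sketch of the two relying-party-side checks that tie a WebAuthn assertion to one hostname, the `rpIdHash` in the authenticator data and the `origin` in the client data. The function names, domains and sample values are constructed for illustration; signature and challenge verification are omitted.

```python
import hashlib
import hmac
import json
import struct


def make_assertion(rp_id, origin, sign_count=1):
    """Constructed sample data in the shape of a WebAuthn assertion (no signature)."""
    flags = 0x01 | 0x04  # UP (user present) and UV (user verified) bits
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": "Y29uc3RydWN0ZWQ",  # constructed placeholder value
        "origin": origin,
    }).encode()
    return auth_data, client_data


def scope_problems(auth_data, client_data_json, expected_rp_id, allowed_origins):
    """Return the scoping failures for one RP; an empty list means both checks pass."""
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flags byte + 4-byte counter
        return ["authenticator data too short"]
    problems = []
    # The authenticator hashes the RP ID it was asked to sign for.
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        problems.append("rpIdHash does not match this RP ID")
    # The browser records the origin that made the request.
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("unexpected clientData type")
    if client.get("origin") not in allowed_origins:
        problems.append("origin not allowed for this RP")
    return problems


if __name__ == "__main__":
    auth_data, client_data = make_assertion("example.com", "https://login.example.com")
    # Accepted by the RP the credential is scoped to.
    print(scope_problems(auth_data, client_data, "example.com", {"https://login.example.com"}))
    # Rejected by a different RP: both the hash and the origin fail.
    print(scope_problems(auth_data, client_data, "other.example", {"https://other.example"}))
```
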


Jonathan S. Shapiro

Jan 27, 2022, 12:18:47 PM
to cap-talk
The outcome of this may be unexpectedly interesting. Retinas and fingerprints are not meaningfully protected from search under the US 5th Amendment. In theory they should be, but in practice they are so easy to collect that this restriction is frequently ignored by law enforcement during the initial arrest. A password, pin, or other "something you know" is essential for maintenance of privacy.


Jonathan



Alan Karp

Jan 27, 2022, 1:15:31 PM
to cap-...@googlegroups.com
Indeed.  A few years ago I read an article that said by law you can be required to unlock your device with a fingerprint (this was before FaceID) but not a PIN or password.

--------------
Alan Karp


Mark S. Miller

Jan 27, 2022, 3:04:04 PM
to cap-talk
Good points. Perhaps this is Apple's way to capitulate to the national security state while saving face? We do not know how much secret pressure they're under.

Besides the legal point, you can also be physically forced to unlock with your body. By contrast, rubber hose attacks do not necessarily succeed at getting someone to divulge their password.





--
  Cheers,
  --MarkM